add extra $path validation to TenantAssetsController

2025-12-12 18:04:03 +00:00 · 2023-08-24 18:21:23 +02:00 · 2023-08-24 18:21:23 +02:00 · 4af70d302f
commit 4af70d302f
parent 395192442d
3 changed files with 31 additions and 1 deletions
--- a/src/Controllers/TenantAssetsController.php
+++ b/src/Controllers/TenantAssetsController.php
@ -18,7 +18,7 @@ class TenantAssetsController extends Controller

    public function asset($path = null)
    {
-        abort_if($path === null, 404);
+        $this->validatePath($path);

        try {
            return response()->file(storage_path("app/public/$path"));
@ -26,4 +26,20 @@ class TenantAssetsController extends Controller
            abort(404);
        }
    }
+
+    /**
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    protected function validatePath(string|null $path): void
+    {
+        abort_if($path === null, 404);
+
+        $allowedRoot = storage_path('app/public');
+
+        // Prevent path traversal attacks. This is generally a non-issue on modern
+        // webservers but it's still worth handling on the application level as well.
+        if (! str(realpath("{$allowedRoot}/{$path}"))->startsWith($allowedRoot)) {
+            abort(403);
+        }
+    }
 }